Open dhruvkb opened 4 years ago
I was able to engineer this CSP using the aforementioned tool
```
default-src * blob: data: 'unsafe-eval' 'unsafe-inline' always;
object-src 'none';
script-src 'none';
```
The only problem it suggested was the script execution, so I disabled it using script-src, and then somehow it also allowed all sources.
I don't know if I am right, but I'm just trying to discuss this more :sweat_smile:
The current NGINX CSP doesn't have much thought put into it. It can sometimes be too restrictive while at the same time having serious holes. A thoughtful, balanced CSP needs to be drafted for NGINX, as stated by @shaddygarg in #22.
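To make the fallback behaviour behind the "it also allowed all sources" observation concrete, here is a small evaluator (added here; not code from the thread or the project). It applies the CSP rule that any fetch directive absent from the policy inherits `default-src`, and flags tokens that are not CSP source expressions; the `always` token is assumed to be the nginx `add_header` flag that leaked into the header value.

```python
# Added example (not from the issue thread): evaluate what each fetch directive
# of a CSP effectively allows once default-src fallback is applied.

# Fetch directives that inherit default-src when not set (partial list).
FETCH_DIRECTIVES = ["script-src", "style-src", "img-src", "connect-src",
                    "font-src", "media-src", "object-src", "frame-src"]
KNOWN_KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'"}

# The policy from the issue, as posted (constructed string for this example).
ISSUE_POLICY = ("default-src * blob: data: 'unsafe-eval' 'unsafe-inline' always; "
                "object-src 'none'; script-src 'none'")

def parse_csp(policy: str) -> dict:
    """Split a policy into {directive: [source expressions]}; first wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def effective_sources(directives: dict, name: str):
    """Sources governing `name`, with default-src fallback.
    Returns None when neither is set, i.e. the directive is unrestricted."""
    if name in directives:
        return directives[name]
    return directives.get("default-src")

def classify(sources) -> str:
    """Summarise a source list as 'blocked', 'any-origin' or 'restricted'."""
    if sources is None or "*" in sources:
        return "any-origin"
    if sources == ["'none'"]:
        return "blocked"
    return "restricted"

def stray_tokens(directives: dict) -> list:
    """Heuristic: tokens that are no keyword, wildcard, scheme or host.
    Such debris (e.g. nginx's `always` flag) is silently ignored by browsers."""
    return [v for values in directives.values() for v in values
            if v not in KNOWN_KEYWORDS and v != "*"
            and ":" not in v and "." not in v and not v.startswith("'")]

def audit(policy: str) -> dict:
    """Map every fetch directive to what the policy effectively permits."""
    directives = parse_csp(policy)
    result = {d: classify(effective_sources(directives, d)) for d in FETCH_DIRECTIVES}
    result["stray"] = stray_tokens(directives)
    return result

if __name__ == "__main__":
    for directive, verdict in audit(ISSUE_POLICY).items():
        print(f"{directive:12} {verdict}")
```

Running it on the posted policy shows `script-src` and `object-src` blocked while every other fetch directive inherits `default-src *`, which is exactly the "allowed all sources" effect; the stray `always` token is reported separately.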